On Thu, Nov 18, 2021 at 09:47:03AM -0700, Grant Taylor via bind-users 
<bind-users@lists.isc.org> wrote:

> On 11/18/21 3:14 AM, Mark Elkins wrote:
> > With IPv6 - you might want to use NSEC3 - as there can be huge holes in
> > the reverse zone. Make the bad guy work at guessing what is in the zone.
> 
> Be mindful of current efforts for minimizing NSEC3 rounds / iterations which
> purportedly have a diminishing RoI for higher counts.
> -- 
> Grant. . . .
> unix || die

According to "Guidance for NSEC3 parameter settings"
https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-nsec3-guidance-00
the recommendation is:

  nsec3param iterations 0 optout no salt-length 0;

cheers,
raf
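Added example, not part of the original thread: a sketch of the RFC 5155 NSEC3 hash and a check of a zone's NSEC3 parameter fields against the values quoted above (iterations 0, optout no, salt-length 0). The function names are hypothetical and the sample parameter strings are constructed; the fields are assumed to be in the "algorithm flags iterations salt" presentation order used by NSEC3 and NSEC3PARAM records.

```python
import base64
import hashlib

# Map the standard base32 alphabet onto base32hex (RFC 4648), which NSEC3 uses.
_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                          b"0123456789ABCDEFGHIJKLMNOPQRSTUV")

def wire_name(name):
    """Owner name in canonical (lowercase) DNS wire format."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def nsec3_hash(name, salt_hex="", iterations=0):
    """RFC 5155 hash: SHA-1 over name||salt, then `iterations` extra rounds."""
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        # Every extra round costs the signer and each validator one more SHA-1.
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_B32HEX).decode().lower()

def audit_nsec3_params(rdata):
    """Compare 'alg flags iterations salt' fields with the quoted recommendation."""
    _alg, flags, iterations, salt = rdata.split()[:4]
    salt_len = 0 if salt == "-" else len(salt) // 2  # "-" means empty salt
    findings = []
    if int(iterations) != 0:
        findings.append(f"iterations {iterations} ({int(iterations) + 1} SHA-1 calls per name), want 0")
    if int(flags) & 0x01:  # opt-out is the low bit of the NSEC3 flags field
        findings.append("opt-out flag set, want optout no")
    if salt_len != 0:
        findings.append(f"salt-length {salt_len}, want 0")
    return findings

if __name__ == "__main__":
    # Constructed sample parameter fields, not taken from any real zone.
    for rdata in ("1 0 0 -", "1 1 10 AABBCCDD"):
        print(rdata, "->", audit_nsec3_params(rdata) or "matches the recommendation")
    print(nsec3_hash("example.", "", 0))
```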
